Web Security Series – XSS Attack

The article was first published on the public account: Brick mover on Haitian 2nd Road

1. What is XSS attack

XSS (Cross-site scripting) attack, that is, cross-site scripting attack.

Attackers inject malicious code into the victim’s browser to attack the victim’s login credentials, steal sensitive information, or control the victim’s session.

XSS attacks are a common type of web application attacks.

2. Analysis of different types and principles of XSS attacks

Depending on the attacker’s role and attack vector, XSS attacks can be divided into three types:

Attack Vector Attacker Role
Reflected XSS attack Web pages or links created by attackers can induce the attacker to open a certain web page
Stored XSS attack Web application used by the attacker and the attacked User of the website to be attacked
DOM type XSS attack The DOM elements of the target website are maliciously modified Ordinary users

3. Reflected XSS attack

1. What is a reflected XSS attack

A reflected XSS attack is to add an injected malicious script to a URL and then send the URL to the user. Once the user opens this URL, the script is executed and leads to the attack. Attack payloads and scripts follow a user’s click on a link and are embedded in the response, executing on the browser.

2. Principles & steps of reflected XSS attacks

  1. The attacker constructs a link with a malicious script whose link parameters contain user input.
  2. Send the link to the victim.
  3. When the victim clicks on the link, the malicious script will be parsed and executed by the browser, thereby executing the attacker’s intent.

3. Examples of XSS attacks

(1) The attacker customizes the following link for a search page of www.example.com

http://www.example.com/search?query=<script>alert('XSS')</script>

(2) The attacker sends the connection to the attacker

(3) After the attacker clicks on the link, the embedded XSS script will be executed to achieve the attacker’s intention. (For example, go to the user Session later)

External link image transfer failed, the source site may There is anti-theft Chain mechanism, it is recommended to save the picture and upload it directly

4. How to prevent and defend against XSS attacks

From the perspective of web application construction, XSS attacks can be prevented through the following measures

  • **Strong verification & filtering of input parameters: **The server performs strong verification of parameters, checks whether there are unsafe characters or scripts (carrot, <,>,/, etc.), and filters them out. All malicious codes will be replaced with the corresponding characters and they will be prohibited from executing against the user’s browser.
  • **Output encoding/escaping:** When returning user input as a message from the server, make sure that special characters in HTML tags and script code such as JavaScript are escaped or encoded. For example, encode characters such as <> as < and > to avoid them being interpreted by browsers as HTML tags.
  • **Using HTTPOnly cookies: **The HTTPOnly cookie cannot be accessed when the request is not made by an attacker exploiting a script-based execution language, nor can it be accessed through document.cookie. This can effectively reduce the pressure of reflected XSS.
  • **Use security controls:** For special pages (such as login pages), use verification codes and other security controls.

From the user’s perspective, XSS attacks can be prevented through the following measures

  • Prompt users to be careful about the existence of malicious links and prevent users from clicking on malicious links without realizing the danger.
  • Browser-side X-XSS-Protection: This is a defense provided by modern browsers that automatically blocks reflected XSS attacks when they are detected and provides options to prevent the attacks. Websites using this feature need to set the X-XSS-Protection header and set it to 1 to enable this feature: X-XSS-Protection: 1; mode=block.

4. Stored XSS attack

1. What is a stored XSS attack

A stored XSS attack occurs when an attacker submits a malicious script to the database of a victim website. When other users browse pages containing links to the malicious script, the script will be executed, allowing the attacker to achieve their goals.

Since the malicious script is stored in the database, all users who visit the page containing the malicious code are vulnerable to the attack. And this type of attack is difficult to solve.

2. Principles & steps of stored XSS attacks

(1) The attacker looks for vulnerable input forms on the victim website, such as comment boxes or search boxes.

(2) The attacker inserts malicious code or script into the input form so that it is stored in the database when the form is submitted. For example, an attacker could insert a piece of JavaScript code in a comment box that could be used to steal session identifiers stored in cookies.

(3) The website receives form data containing malicious code and stores it in the database. At this point, the attacker’s malicious code has been written into the database and saved.

(4) When the victim visits the page containing malicious code, the malicious code is extracted from the database and executed on the victim’s browser, triggering the operation set by the attacker.

(5) The attacker uses the victim user’s session tag to obtain the victim’s identity and sensitive information. For example, a malicious script could be used to steal a user’s personal information, login credentials, or credit card information and send it to the attacker.

External link image transfer failed, the source site may be defensive steal Chain mechanism, it is recommended to save the picture and upload it directly

3. How to defend against stored XSS attacks

Stored XSS attacks are generally harder to prevent than reflected XSS attacks. Here are a few common defenses:

  • **Input filtering and validation: **Strong validation of user input. Filter unsafe characters, verify whether the data type, length and format are legal, and prevent unsafe data from being stored.
  • **Output encoding/escaping:** Before outputting user data, the data is encoded and escaped. HTML or URL encoding can be used to handle special characters, scripts, and tags to prevent malicious code from being executed.
  • **Defensive programming:** Use secure APIs, utilize authentication mechanisms, and restrict access controls.
  • **CSP: **Content Security Policy can set whitelists and blacklists to limit the types and sources of resources loaded on the page to prevent malicious scripts and styles from being loaded.
  • **Use HTTPS: **Using HTTPS prevents attackers from stealing information such as session identifiers and sensitive data in transit.
  • **Restrict and control user input: **Restrict the content, length, and format of data that users can enter. For example, you can use the pattern attribute provided by the HTML5 input tag to limit the data type and format that the user inputs.

The best defenses against stored XSS attacks are:

Never trust the front end, never trust user input.

5. DOM type XSS attack

1. What is DOM type XSS attack

DOM-type XSS attack is a cross-site attack that exploits security vulnerabilities in the DOM-based HTML parsing process.

DOM-type XSS attacks do not involve the participation of the server and are completely based on the client-side mechanism. The attacker achieves the purpose of the attack by tampering with the DOM elements and attributes in the web page and injecting malicious code.

2. Principles and steps of DOM-type XSS attacks

The process of a DOM-type XSS attack is very similar to a reflected XSS attack. The main difference is that the reflected XSS will pass the attack script to the server, while the DOM-type XSS does not need to, thus bypassing the WAF and avoiding server-side detection.

DOM-type XSS attacks are usually divided into the following steps:

  1. An attacker tricks a user into visiting a malicious website or a legitimate website across sites.
  2. JavaScript scripts in websites combine user-entered data into DOM fragments.
  3. The attacker tampered with DOM fragments or modified DOM attributes, injected malicious scripts, and thus performed illegal behaviors.
  4. When the browser parses the DOM fragment, the malicious script is executed, allowing the malicious code to be executed.
  5. The attacker successfully stole sensitive user information or completed other illegal operations.

3. How to defend against DOM-type XSS attacks

DOM-type XSS attacks can be defended by the following measures:

  • **Input filtering and validation: **Strong validation of user input. Filter unsafe characters, verify whether the data type, length and format are legal, and prevent unsafe data from being stored.
  • **Output encoding/escaping:** Before outputting user data, the data is encoded and escaped. HTML or URL encoding can be used to handle special characters, scripts, and tags to prevent malicious code from being executed.
  • **Use innerText or textContent instead of innerHTML: **Avoid inserting user-entered data directly into innerHTML. You can use the whitelist mechanism to filter out unsafe tags, or use safe APIs such as innerText and textContent.
  • **Use Content Security Policy (CSP): **CSP can set whitelists and blacklists to limit the resource types and sources loaded by the page, thereby preventing malicious scripts and styles from being loaded.
  • **Use security sandbox:** Apply sandbox technology to limit the environment in which JavaScript runs, thereby preventing malicious JS script operations or tampering with the document DOM, etc.
  • **Update and upgrade your browser: **Update your browser regularly to reduce the impact of known red flag vulnerabilities.

6. Summary

XSS attacks can be divided into three types: reflected XSS attacks, stored XSS attacks and DOM XSS attacks.

A reflected XSS attack is to inject the attack script into the URL, and the injected code will be reflected to the browser when the server parses it, thereby achieving the purpose of the attack.

A stored XSS attack is when the attacker submits malicious script code to the database of the victim website. When other users browse the page containing the malicious script link, the script will be executed, thereby achieving the attacker’s purpose.

DOM-type XSS attack is a cross-site attack that exploits DOM security vulnerabilities in the HTML parsing process. Attackers tamper with DOM elements and attributes in web pages and inject malicious code to steal users’ sensitive information or perform other illegal operations. .

Developers should implement multiple security measures against the above three XSS attacks. For example, filter and encode input and output data, limit user input content, length, format, etc., and avoid directly putting user input content into the innerHTML function; use Content Security Policy (CSP) and other security measures to defend against DOM-type XSS attacks ;Use security sandbox, restricted access control, browser upgrade, etc. to deal with reflected XSS and stored XSS attacks. Developers need to strengthen their understanding of Xss attacks and implement security solutions to protect users’ network security.

Appendix

My official account

My QR code